Federation Security Services Guide › Identify Service Providers for a SAML 2.0 Identity Provider › Protect the Artifact Resolution Service with Client Certificate Authentication (optional) › Create the Artifact Resolution Service Policy

Create the Artifact Resolution Service Policy

To create a policy for the Artifact Resolution Service

1. For each Service Provider, add an entry to a user directory. You can create a new user store or use an existing directory.

   Create a separate user record for each affiliate site that retrieving assertions from the Identity Provider.

   An attribute of the user record should have the same value that is specified in the Name field of the Service Provider Properties dialog box.

   For example, if you identified the affiliate as Company A in the Name field, the user directory entry should be:

   uid=CompanyA, ou=Development,o=partner

   The Policy Server will map the subject DN value of the Service Provider's client certificate to this directory entry.

2. Add the configured user directory to the FederationWebServicesDomain.
3. Create a certificate mapping entry.

   The value for the Attribute Name field in the Certificate Mapping Properties dialog box should be mapped to the user directory entry for the Service Provider. The attribute represents the subject DN entry in the Service Provider's certificate. For example, you may select CN as the Attribute Name, and this represents the Service Provider named cn=CompanyA,ou=Development,o=partner

4. Configure an X509 Client Certificate authentication scheme.
5. Create a realm under the FederationWebServicesDomain containing the following entries:
   • Name: <any_name>

     Example: cert artifact resolution

   • Agent: FederationWebServicesAgentGroup
   • Resource Filter: /affwebservices/saml2certartifactresolution
   • Authentication Scheme: client cert auth scheme created in the previous step.
6. Create a rule under the cert artifact resolution realm containing the following:
   • Name: <any_name>

     Example: cert artifact resolution rule

   • Resource: *
   • Web Agent Actions: GET, POST, PUT
7. Create a Web Agent response header under the FederationWebServicesDomain.

   The Artifact Resolution Service uses this HTTP header to make sure that the Service Provider for which the SAML assertion was generated is the one actually retrieving the assertion.

   Create a response with the following values:

   • Name: <any_name>
   • Attribute: WebAgent-HTTP-Header-Variable
   • Attribute Kind: User Attribute
   • Variable Name: consumer_name
   • Attribute Name: enter the use directory attribute that contains the Service Provider name value. For example, the entry could be uid=CompanyA.

   Based on these entries, the Web Agent will return a response named HTTP_CONSUMER_NAME.

8. Create a policy under the FederationWebServicesDomain containing the following values:
   • Name: <any_name>
   • User: Add the users from the user directory created in previously in this procedure
   • Rule: <rule_created_earlier_in_this_procedure>
   • Response: <responsecreated_earlier_in_this_procedure>
9. Complete the configuration steps at the Service Provider to use client certificate authentication, if they are not completed already.